The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates that an adversary has staged or executed a known, previously disclosed implant from the 2017 Shadow Brokers release, which may be part of a targeted intrusion. Because the tooling is public, a hit can also come from a red-team engagement or an analyst's sample store, so the matched file should be acquired and confirmed (the hash1 in the rule's meta is the reference sample) before escalating. SOC teams should proactively hunt for this activity in Microsoft Sentinel (formerly Azure Sentinel), for example by pivoting on the reference SHA-256 across file telemetry, to identify and contain compromise by advanced persistent threats that reuse known but dormant malware.
YARA Rule
rule EquationGroup_Toolset_Apr17_DmGz_Target {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "5964966041f93d5d0fb63ce4a85cf9f7a73845065e10519b0947d4a065fdbdf2"
    strings:
        $s1 = "\\\\.\\%ls" fullword ascii
        $s3 = "6\"6<6C6H6M6Z6f6t6" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns, $s1 and $s3, and its condition requires both of them ("all of them") together with a PE header check (uint16(0) == 0x5a4d, the little-endian read of the bytes "MZ") and a file size below 80KB (81920 bytes). Note that a YARA rule evaluates file contents, not process lineage: the scenarios below are phrased in terms of process-creation telemetry (ProcessName, CommandLine, parent process) and are tuning guidance for the surrounding alert logic, not conditions the YARA rule itself evaluates. A YARA match on file bytes should be confirmed against the reference hash rather than excluded on the basis of a parent process.
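To make the matching semantics concrete, the following is an added example (not code from the page or from the rule's author) that re-implements this rule's condition in plain Python and runs it over constructed buffers: the PE magic read, the filesize bound, and YARA's fullword modifier, which rejects an occurrence of a string that is bordered by an alphanumeric byte. The sample buffers, build_sample, fullword_match and evaluate_rule are all constructed for this illustration; yara-python is the right tool in production, and this only mirrors the four checks the rule makes.

```python
# Added example (not from the page or from the rule's author): a pure-Python
# re-implementation of this rule's condition so the matching semantics can be
# exercised on constructed buffers without a YARA engine.

# String patterns copied from the rule. In YARA source "\\\\.\\%ls" denotes the
# bytes \\.\%ls (a Windows device-namespace prefix followed by a %ls format
# specifier); Python's bytes literal uses the same escaping.
RULE_STRINGS = {
    "$s1": b"\\\\.\\%ls",
    "$s3": b'6"6<6C6H6M6Z6f6t6',
}
MAX_FILESIZE = 80 * 1024   # YARA's KB suffix means 1024 bytes, so 80KB == 81920
MZ_MAGIC = 0x5A4D          # uint16(0) is little-endian: the bytes 'M','Z'

_ALNUM = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def fullword_match(data: bytes, pattern: bytes) -> bool:
    """Emulate YARA's `fullword ascii` modifier: some occurrence of pattern must
    not be immediately preceded or followed by an alphanumeric byte."""
    start = 0
    while (i := data.find(pattern, start)) >= 0:
        before = data[i - 1] if i > 0 else None
        end = i + len(pattern)
        after = data[end] if end < len(data) else None
        if (before is None or before not in _ALNUM) and (after is None or after not in _ALNUM):
            return True
        start = i + 1
    return False


def uint16_le(data: bytes, offset: int):
    """YARA's uint16(offset): little-endian 16-bit read, undefined past EOF."""
    if len(data) < offset + 2:
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def evaluate_rule(data: bytes) -> dict:
    """Evaluate ( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
    and return each sub-result so a miss can be explained."""
    strings = {name: fullword_match(data, pat) for name, pat in RULE_STRINGS.items()}
    verdict = {
        "mz_header": uint16_le(data, 0) == MZ_MAGIC,
        "filesize_ok": len(data) < MAX_FILESIZE,
        "strings": strings,
    }
    verdict["match"] = verdict["mz_header"] and verdict["filesize_ok"] and all(strings.values())
    return verdict


def build_sample(header: bytes = b"MZ", s1_tail: bytes = b"\x00", total_size: int = 4096) -> bytes:
    """Constructed stand-in for a small PE (not a real sample): a header, both
    rule strings delimited by NUL bytes, then NUL padding to total_size.
    s1_tail is the byte that follows $s1, which is what fullword inspects."""
    body = (header + b"\x00" * 62
            + RULE_STRINGS["$s1"] + s1_tail
            + b"\x00" + RULE_STRINGS["$s3"] + b"\x00")
    return body.ljust(total_size, b"\x00")


# Constructed test buffers, one per way the condition can fail.
SAMPLE_HIT = build_sample()
SAMPLE_PARTIAL_WORD = build_sample(s1_tail=b"x")       # \\.\%lsx: $s1 is not a whole word
SAMPLE_NOT_PE = build_sample(header=b"ZM")             # uint16(0) reads 0x4d5a, not 0x5a4d
SAMPLE_OVERSIZED = build_sample(total_size=90 * 1024)  # strings present, filesize bound fails


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("partial_word", SAMPLE_PARTIAL_WORD),
                      ("not_pe", SAMPLE_NOT_PE), ("oversized", SAMPLE_OVERSIZED)]:
        print(f"{name:13s} -> {evaluate_rule(buf)}")
```

The partial-word buffer is the one worth studying: both strings are present byte-for-byte, yet the rule does not fire because "\\.\%ls" is followed by an alphanumeric byte, which is exactly the behaviour the fullword modifier buys and the reason a naive substring grep over a sample store will over-report relative to YARA.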
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a system maintenance script (e.g., schtasks.exe) that uses cmd.exe to execute a script or command.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler in the parent process chain.
Scenario: Admin PowerShell Script Execution
Description: A system administrator runs a PowerShell script (e.g., powershell.exe -Command) that uses cmd.exe to execute a command as part of routine system management.
Filter/Exclusion: Filter by ProcessName containing powershell.exe or check for CommandLine containing -Command or -File.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool (e.g., Windows Defender, Malwarebytes) performs a full system scan, which may trigger cmd.exe to execute scan-related commands.
Filter/Exclusion: Check for ProcessName containing MsMpEng.exe, mbam.exe, or other known antivirus process names.
Scenario: Database Backup Job
Description: A database backup job (e.g., sqlcmd.exe) is executed via a command line interface using cmd.exe as part of an automated backup process.
Filter/Exclusion: Filter by ProcessName containing sqlcmd.exe or check for CommandLine containing sqlcmd or database names.
Scenario: User-Initiated Command Prompt Session
Description: A user opens a command prompt (cmd.exe) and runs a legitimate command (e.g., ipconfig, netstat, or ping) for troubleshooting.
Filter/Exclusion: Check for User field matching known administrators or filter by CommandLine